Data protection
All organisations must comply with the applicable data protection legislation when processing personal data, regardless if you are a public authority, a small company or an association.

This applies accordning to the GDPR
You must comply with the GDPR when processing personal data.

Lawful grounds for personal data processing
In order to process personal data, you must have a lawful ground.

The GDPR fundamental principles
All processing of personal data must comply with the basic principles of the GDPR.

Information security
Processed personal data must be protected.

Notification of a personal data breach
Data controllers are obligated to report certain personal data breaches to IMY.

Transfer of personal data to a third country
When personal data is sent outside the EU/EEA, the rules for transfer to third countries apply.

Data protection officers
In certain cases, you must have a data protection officer.

Data controllers and data processors
You are either a data controller or a data processor.

Impact assessments and prior consultation
Impact assessment aims to prevent risks and protect personal data.
Learn more about data protection
GDPR guide for small and medium-sized businesses

News from IMY
About the information on this page
If the information in English is different from the Swedish version of this page, the Swedish version applies.
Latest update: 5 June 2025
Page labels
Data protection